XWorm RAT Expands as a Leading Malware-as-a-Service Threat
Trellix reported that XWorm has emerged as one of the most prominent remote access trojans in the underground malware market, gaining traction through a malware-as-a-service model that lowers the barrier to entry for cybercriminals. The malware is marketed as a flexible, feature-rich RAT that supports common post-compromise activity, giving operators capabilities typically associated with broader criminal toolkits rather than a single commodity implant.
The report says XWorm’s rapid adoption is being driven by active underground promotion, ease of use, and functionality that appeals to both inexperienced and established threat actors. Its growth underscores how commercialized malware ecosystems are accelerating the spread of scalable intrusion tools, increasing the likelihood of credential theft, persistent access, surveillance, and follow-on attacks across enterprise environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Trellix publishes analysis of XWorm's rise in the malware market
Trellix published research describing XWorm as a malware-as-a-service offering that is outpacing other remote access trojans in the underground market. No earlier discrete real-world events are provided in the reference content.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
XWorm 6.0 Malware Resurgence with Enhanced Plugins and Ransomware Capabilities
XWorm, a modular remote access trojan (RAT) first observed in 2022, has re-emerged in the threat landscape with significant enhancements in its latest versions, including 6.0, 6.4, and 6.5. The malware, originally developed by an individual known as XCoder, has evolved into a highly versatile tool capable of supporting a wide array of malicious activities on compromised Windows hosts. After XCoder abandoned the project and deleted their Telegram accounts, multiple threat actors began distributing cracked versions of XWorm, leading to a surge in its adoption and deployment. The new variants now support over 35 specialized plugins, enabling functionalities such as data theft from browsers and applications, keylogging, screen capture, clipboard monitoring, and even ransomware operations that can encrypt or decrypt files. XWorm’s modular design allows operators to issue commands from external servers, including downloading files, opening URLs, shutting down or restarting systems, and launching distributed denial-of-service (DDoS) attacks. The malware is primarily propagated through phishing emails and malicious websites, often using deceptive installers for legitimate software like ScreenConnect or Discord. Infection chains have been observed leveraging Windows shortcut (LNK) files and malicious JavaScript to execute PowerShell commands, sometimes bypassing Antimalware Scan Interface protections. The last version developed by XCoder, 5.6, contained a remote code execution vulnerability, which has been addressed in the newer releases. XWorm’s anti-analysis and anti-evasion mechanisms allow it to detect virtualized environments and cease execution to avoid detection. The malware’s popularity is underscored by campaigns that have resulted in tens of thousands of infections, with significant activity noted in countries such as Russia, the United States, India, Ukraine, and Turkey. Some threat actors have even used XWorm as a lure to target less-skilled cybercriminals, embedding backdoors to steal data from those attempting to use the malware. Security researchers, particularly from Trellix, have documented a marked increase in XWorm samples on platforms like VirusTotal since June, indicating widespread adoption among cybercriminals. The rapid evolution and prevalence of XWorm highlight the critical need for robust security measures, user awareness, and advanced detection capabilities to mitigate the risks posed by this adaptable malware. Organizations are advised to monitor for phishing campaigns, scrutinize suspicious attachments and downloads, and ensure endpoint protection solutions are updated to detect the latest XWorm variants. The ongoing development and distribution of XWorm by multiple actors suggest that it will remain a persistent threat in the cybercrime ecosystem.
Mar 21, 2026
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
Mar 21, 2026
New Remote Access Trojans Expand Stealth and Surveillance Capabilities
Threat researchers reported multiple **remote access trojan (RAT)** developments that emphasize stealth, surveillance, and post-exploitation flexibility. A new **Remcos RAT** variant was observed adding real-time surveillance features (including on-demand webcam streaming) and keystroke transmission, while improving evasion through modular DLL plugins, encrypted C2 with in-memory-only config decryption, and dynamic API resolution; it also attempts to reduce forensic artifacts by deleting collected data (e.g., screenshots, audio, keylogging output, cookies) and removing persistence-related registry entries. Separately, Elastic detailed a **ClickFix** social-engineering campaign that uses compromised legitimate websites as delivery infrastructure to deploy a previously undocumented Windows RAT dubbed **MIMICRAT** (*AstarionRAT*). The intrusion chain includes a multi-stage PowerShell flow with **ETW and AMSI bypass**, a Lua-based shellcode loader, and HTTPS C2 on port `443` using traffic patterns designed to resemble web analytics; the implant supports token impersonation, SOCKS5 tunneling, and a broad command set, with suspected end goals of **ransomware deployment or data theft**. In parallel mobile-focused reporting, Zimperium described **ZeroDayRAT**, a cross-platform Android/iOS spyware-style RAT distributed via social engineering and sideloaded apps, enabling screen capture, keylogging, and credential/file exfiltration, highlighting continued convergence of surveillance and remote-control capabilities across endpoints.
Mar 21, 2026